Import LDAP User Groups
As an Administrator, an efficient method of creating an LDAP user group is to import an LDAP user group from a remote LDAP server. To import a user group, you must use the built-in LDAP Browser, which gets launched during the import procedure.
As an Administrator, an efficient method of creating an LDAP user group is to import an LDAP user group from a remote LDAP server. To import a user group, you must use the built-in
LDAP Browser, which gets launched during the import procedure.
This topic explains the following tasks:
Launch the LDAP Browser
To import LDAP Groups into
Privileged Access Manager, follow these steps:
- Verify that your appliance is licensed on theConfiguration,Licensingpage. A license is required to launch the LDAP Browser.
- Navigate toConfiguration,3rd Party, LDAP,and configure access to an LDAP server.Provisioning the LDAP server is necessary to make LDAP groups available for import.
- SelectUsers,Manage User Groups.
- SelectImport LDAP Groups.The LDAP Browser launches. You are prompted to select an LDAP domain.Privileged Access Managerdoes not support SSH and LDAP connections from a native browser due to strong cryptography support. Update your local JCE with unlimited strength policy jars that are based on your JRE version.
- Go to the next procedure to import the LDAP group.
If the LDAP server does not support the cipher suite that is used by the
Privileged Access ManagerLDAP browser, a connection failure occurs. The following error message appears: “Possible cipher mismatch with LDAP server.” During provisioning, ensure that the ciphers that are supported on the target LDAP server include those ciphers that are supported by the LDAP browser.
Import LDAP Groups
In the LDAP Browser, the
Exploretab in the left pane shows a graphical representation of an LDAP tree. Select any object to see the object attributes.
Follow these steps:
- Select the LDAP domain and select OK to connect to it. The browser connects and displays all records below that domain.
- Navigate the LDAP tree in the left pane and locate the device group that you want to import. Traverse the tree in any order or direction.
- To import a device group to import, select the checkbox next to the group.
- Repeat these steps for each group you want to import.
- (Optional) Review the device groups that are selected for import:
- SelectPAM Groups,Manage selected groups to register with the PAM appliance. The list of the Distinguished Names for all selected groups displays.
- Select and edit any group DN, or remove it from the staging list.
- SelectPAM Groups,Register selected groups with the PAM appliance. A window opens displaying a list of the staged groups. You can watch the progress, and can display any messages that are associated with the actions.
- When ready to import the groups, selectRegister Groupsin the lower-left corner.Privileged Access Managerimports the groups in the order that they are listed. The browser provides feedback and cancellation options throughout the process.You can cancel registration of a group, or you can cancel the registration of all groups, even after they have started.When the imports are finished, each line item in the registration window shows a green checkmark for success or a redXfor import failure/cancellation.
- (Optional) Review the status of the full list and each individual group by selecting its line item. If you made changes to an individual group or any errors occurred, the lowerMessagespanel provides details.
- Go toUsers,Manage User Groups,and confirm that the imported user groups appear on the page.Roles are inherited from the LDAP group. The default role is Standard User. Ignore theRolespanel, which indicates "No roles selected."You cannot delete a record from an imported device group. Also, you cannot edit an LDAP-imported field.
Refresh LDAP Groups
You can refresh an LDAP Group to update the records in the group.
Follow these steps:
- In the UI, selectUsers, Manage User Groups.
- Toward the right side of the page, selectRefresh LDAP Groups.The LDAP Browser launches the Refresh Registered LDAP Groups window.
- Select one or more groups you want to refresh and select Refresh Selected Groups.
Refresh Active Directory User Groups After an OU Change
A change to organization unit (OU) of a user results in a change to the user DN. The modified DN can impact an access policy.
PAMhandles an OU change when the Active Directory group is refreshed automatically. During a refresh, the appliance searches the remote Active Directory Server and updates its user record. Despite the OU change, the policy for that user is preserved.
To reflect an OU change immediately, you can manually refresh an Active Directory group in
PAM. To keep the data in sync with Active Directory, refresh all the groups that now contain the user and all the groups from where the user moved.
If an LDAP group is in a parent group
memberattribute, then users in the parent and child groups are imported with the parent. For example, consider groups CommunityA and CommunityB, and Person1. CommunityB is a member of CommunityA and it is nested in CommunityA. Person1 is the sole member of the group CommunityB. If you import the CommunityA group, you see every member of CommunityA and member Person 1 from CommunityB.
LDAP Browser Menus and Controls
The following table explains the LDAP Browser menus and controls options:
Copy the Distinguished Name of selected entry to the Clipboard.
Display all the groups in this container.
After first selecting an object in the tree under the Explore tab, clicking this button will then switch you to the Results tab. Once there, you see a (fully expanded) tree of all groups (objectClass: group) contained within the selected object.
Log in to an LDAP database. Invokes a pop-up window from which you can select from currently accessible domains.
Log out from the current LDAP domain.
Print currently selected node.
Close browser window. The browser continues running while the connection is active. During that time, you can invoke the LDAP Browser by selecting Users, Manage Groups, Import LDAP Group.
Viewing options for graphical menu items below the main menu
Show Button Bar
Show Search Bar
Set LDAP Connection Timeout
Maximum time (seconds) before a connection attempt is canceled. This timeout is useful when multiple servers are specified for a particular LDAP domain in
Default: 60 seconds
Set Result Set Page Size
Maximum number of records in an LDAP directory before pagination is triggered for representation in the browser tree.
Number of records in each page of a paginated subtree.
A bookmark can be made on any leaf in a tree. You can select the bookmark later directly from the menu. Bookmarks are saved for each domain, and appear only when the browser is connected to that domain.
Opens an editing window for bookmarking currently selected leaf:
Opens a bookmark selection window. Selection in turn opens a bookmark editing window (see Add Bookmark).
Opens a bookmark selection window. Selection in turn deletes and confirms deletion of the bookmark.
Opens a detailed search specification window. (Contrast to Quick Search.)
Opens a window with a list of filters for selection and deletion.
Return Attribute Lists
Next Page of Results
Retrieve next page of results and display page wrapper (Page n Results) in the Explore tree (when green; otherwise, gray when inapplicable).
Suspends current LDAP request. Stopping a request is useful when the page size is large and the browser is searching a large database.
Privileged Access ManagerGroups
Privileged Access Manager-specific menu items
Manage selected groups to register with the appliance.
Lists all items that are currently selected (or staged) for importing to
Privileged Access Manager.
Register selected groups with the appliance
Perform the input operation on the items that are selected, which are listed in Manage selected groups to register with the appliance.
Pagination is available for Active Directory (AD) and OpenLDAP.
The LDAP Browser has a pagination feature to reduce overhead on LDAP access. The browser setting
Result Set Page Sizespecifies the maximum number of members (directories, groups, or objects; or nodes) for any directory. (This value is initially set to a default of 1000.) If the overhead required to display all directory members is too heavy, the administrator can reduce this variable value.
For example, set this value to 5 to insert a pagination leaf for more than five members in any directory. The LDAP Browser inserts the initial pagination leaf is when that directory is opened, before displaying the actual directory contents.
Search and Quick Search Options
If you know the name of the directory or object you are looking for, use one of two search options available in LDAP Browser. If the tree appears paginated in the browser, the search can still traverse the entire tree.
You can use the
Quick Searchbutton in the upper-right corner of the browser to locate the desired object.
Follow these steps:
- In theExploretab tree, select the node that you want to be at the top of the search.Your choice is reflected in the Quick Search label.
- To the right of the Search From label, select an attribute from the drop-down list, and enter a search string in the text box.
- SelectQuick Search.A filtered tree appears in theResultstab.
- Select an object in the tree to seeEntry Attributeson the right.
LDAP Browser Search Options
To refine search results to a limited subset of objects or saved for future use, select menu item
The following table explains the search settings.
Assign a bookmark name for the filter: When you have filled in the remainder of this dialog, select Save in the lower right. The filter is then available from the Search menu.
Start Searching From
Identify the root node for your search.
Resolve aliases while searching
When checked: LDAP Browser returns the real entry to which the alias points. When unchecked: LDAP Browser returns all alias entries as regular entries.
Resolve aliases when finding base object
Select Search Level
Search Base Object
Search Next Level
Search Full Subtree
Information to retrieve
Allows you to select from a saved list in Return Attributes Lists.
Negative of (entire) constructed entry
Menu of all LDAP attributes: accountExpires through x500uniqueIdentifier
Logic to apply to the attribute in this expression
Text being tested with this expression
Add another logic template to concatenate with other defined logic
Remove most recently defined logic
Save entire filled-in template to the label assigned in a filter name
Load existing filter to this template for editing or copying.
Show the LDAP filter
Perform search as currently defined in this template.
Close dialog without executing a search or saving it to a filter name
Double-Byte Characters for User and User Group Names
Privileged Access Managerprovides double-byte character support. The appliance allows East Asian characters in data store and in the UI representation of user and user group names. LDAP user names are imported and displayed with the double-byte characters maintained.
User records with double-byte characters can be imported to LDAP groups but not to individual local user records.